Opportunities Exist for the National Institutes of Health To Strengthen Controls in Place To Permit and Monitor Access to Its Sensitive Data
As part of the Department of Health and Human Services (HHS), the National Institutes of Health (NIH) is the largest public funder of biomedical research in the world, investing more than $30 billion in taxpayer dollars to achieve its mission. NIH's mission is to seek fundamental knowledge about the nature and behavior of living systems and the application of that knowledge to enhance health, lengthen life, and reduce illness and disability. OIG has identified risks related to the sharing of sensitive data.
Our objective was to assess whether NIH had adequate controls in place when permitting and monitoring access to NIH sensitive data.
We reviewed NIH's internal controls for monitoring and permitting access to sensitive data. To accomplish our objective, we used appropriate procedures from applicable Federal regulations and guidance. We reviewed NIH policies, procedures, and supporting documentation, and we interviewed NIH staff.
NIH should improve its controls when permitting access to sensitive NIH data. We provided a detailed restricted report to NIH, and we shared with NIH information about our preliminary findings before issuing our draft report to ensure that NIH could take prompt corrective actions.
We recommend that NIH work with an organization with expertise and knowledge in scientific data misuse. NIH could strengthen its controls by developing a security framework, conducting a risk assessment, and implementing additional appropriate security controls designed to safeguard sensitive data. We also recommend that NIH develop and implement mechanisms to ensure data security policies keep current with emerging threats. Lastly, we recommend that NIH make security awareness training and security plans a requirement.
NIH did not concur with our recommendations to develop a security framework, conduct a risk assessment, and implement additional controls for sensitive data. NIH concurred with our recommendations to ensure security policies keep current with emerging threats and to make training and security plans a requirement; however, NIH did not agree to the addition of controls to ensure training and security plan requirements have been fulfilled. NIH also stated that it recently established a working group to address and mitigate risk to intellectual property as well as to protect the integrity of the peer-review process.
We maintain that our findings and recommendations are valid. We recognize that NIH reported that it is already taking certain actions, such as the working group that was recently established, that may address our recommendations. We also provided NIH with other potential actions to address our findings and recommendations. If NIH determines that it does not need to strengthen its controls, it should document that determination consistent with applicable Federal regulations and guidance.